
User CP email persistent XSS

Low
dvz published GHSA-3q8x-9fh2-v646 May 21, 2023

Package

MyBB

Affected versions

< 1.8.34

Patched versions

1.8.34

Description

Impact

A cross-site scripting (XSS) vulnerability in the User CP module allows remote authenticated users to inject HTML via the user email field; the injected markup is triggered on the User CP Home page.

Modifying a user's own email address requires providing the account password.

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
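The defect class described above is a stored value reaching a page without output encoding. The following PHP snippet is an added illustration, not MyBB's own code or the project's actual patch: it places the unsafe rendering pattern beside a hardened one that HTML-encodes the email on output, and adds a write-time validity check. The function names, the table-cell markup and the sample value are all assumptions constructed for this example.

```php
<?php
// Added illustration (not MyBB code): rendering a stored email field safely.
// Function names and markup below are hypothetical.

declare(strict_types=1);

// Unsafe: concatenates the stored value straight into HTML, so any markup
// stored in the email field becomes part of the page (the vulnerable pattern).
function render_email_unsafe(string $email): string
{
    return '<td class="trow1">' . $email . '</td>';
}

// Hardened: HTML-encode at output time so markup in the stored value is
// displayed as literal text rather than interpreted by the browser.
function render_email_safe(string $email): string
{
    $encoded = htmlspecialchars($email, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<td class="trow1">' . $encoded . '</td>';
}

// Defence in depth at save time: reject values that are not syntactically
// valid addresses. This layers under output encoding; it does not replace it.
function is_acceptable_email(string $email): bool
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Constructed sample value containing stray markup (not a payload from the advisory).
$sample = 'user<b>@example.com';

echo render_email_unsafe($sample), PHP_EOL;  // markup reaches the page as HTML
echo render_email_safe($sample), PHP_EOL;    // markup is shown as escaped text
var_dump(is_acceptable_email($sample));      // validity of the constructed sample
var_dump(is_acceptable_email('user@example.com'));
```

The relevant control is the output-side encoding in `render_email_safe`: because the browser decodes entities only for display, a stored value can no longer introduce elements or attributes into the User CP Home markup, regardless of what passed validation earlier.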

Patches

MyBB 1.8.34 resolves this issue with the following changes:

References

For more information

Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.

Contact

The security team can be reached at security@mybb.com.

Severity

Low

CVE ID

CVE-2023-28467

Weaknesses